Health Care

GDPR Enforcement Tracker Report - Health Care


So far, 13 DPAs have imposed 17 fines on hospitals, physicians and a medicine supplier amounting to a total of more than EUR 1.53 million.

It is noteworthy that the group of fines related to insufficient technical and organisational measures, and hence a lack of data security, is the biggest both with regard to the number of fines (eight) and the total amount (EUR 1,394,600). Apart from that, four fines were levied due to the lack of a legal basis for processing, adding up to a total of around EUR 72,500.

Let's take a closer look

  • In three cases, notable fines concerned deficient access management systems of hospitals that allowed excessive access by unauthorised persons, i.e. EUR 30,000 in Italy, EUR 400,000 in Portugal and EUR 460,000 in the Netherlands.
  • The British Information Commissioner’s Office issued its first ever GDPR fine to London‑based pharmacy Doorstep Dispensaree Limited. A substantial penalty of EUR 320,000 was imposed due to a violation of TOMs – the company had stored some 500,000 documents containing names, addresses, dates of birth, NHS numbers, medical information and prescriptions in unsealed containers at the rear of its premises. This was not only insufficient to guard the documents against unauthorised access, but also against accidental destruction such as water damage.
  • In Germany, a hospital was fined EUR 105,000 for mixing up patients on admission, resulting in incorrect invoicing.

Main takeaway

In the health care sector, with its particularly sensitive data, data protection will continue to play a key role. A main focus in the health care sector is to ensure protection of personal data through adequate security measures. Such data security measures should in particular be a key consideration when new processes or systems are introduced, in terms of both planning and implementation. Providers should also not underestimate the importance of a functioning access management system, which should strictly follow the need-to-know principle.